Non Domain admin account can not relay via Exchange 2013 SMTP

Hi, friends.

A non-Domain Admin account cannot relay via Exchange 2013 SMTP; any domain user account added to the Domain Admins security group can relay via the SMTP server.

The error message is as follows:

Delivery to the following recipient failed permanently:

     noufal@web.net.xx

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the relay mail.web.net.xx by mail.web.net.xx. [213.130.xxx.xxx].

The error that the other server returned was:
550 5.7.1 Client does not have permissions to send as this sender.

Settings are attached.

Please help.


September 7th, 2015 7:01am

Hi,

You can set up anonymous relay through Exchange for a particular set of client IPs. See more here: http://markgossa.blogspot.co.uk/2015/09/exchange-2013-anonymous-email-relay.html.

If you cannot lock it down to client IPs then you can add rights to the user/group on the receive connector. The user needs the rights to send to any recipient:

Get-ReceiveConnector "Receive connector name" | Add-ADPermission -User "domain\group" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Let me know if this answers your question. 

Thanks.

September 7th, 2015 8:14am

I want to enable relay from all public IPs, not a specific range. Anonymous access should be blocked and only authenticated users should be allowed to relay.
September 7th, 2015 12:56pm

Hi,

Please run the following command to have a try:

Get-ReceiveConnector | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Get-ReceiveConnector | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

Then restart the related Exchange transport service and check whether the issue persists.

Regards,

September 8th, 2015 4:44am

Applied the below commands, but it failed again.

Get-ReceiveConnector "Client Frontend MAIL" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Get-ReceiveConnector "Client Frontend MAIL" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

************************

Technical details of permanent failure:

Google tried to deliver your message, but it was rejected by the relay mail.web.net.xx by mail.web.net.xx. [213.130.xxx.xxx].

The error that the other server returned was:
550 5.7.1 Client does not have permissions to send as this sender

September 8th, 2015 5:25am

Hi,

I found a similar thread about your issue:

https://social.technet.microsoft.com/Forums/exchange/en-US/e763de97-88a1-494d-9841-4f3a466b5604/exchange-550-571-client-does-not-have-permissions-to-send-as-this-sender?forum=exchangesvradminlegacy

Please check the Send As permission for NT AUTHORITY\SELF in the Exchange Server 2013 EAC or EMS. If it is missing, please add it in the EAC.

Regards,

September 8th, 2015 5:47am

Can you test this internally? Use Send-MailMessage and specify the SmtpServer, Port and Credential parameters so you are using the same settings as above. See if you get the same error.

There may be a few things at play here. It may be that the NAT is allowing connections to a different CAS or a CAS array, TLS issues, or authentication issues (bad domain/password etc.). This test eliminates a few of them.

Also, check that you have the default permission groups and authentication settings on the client frontend receive connector. 

Run the below command to check you don't have any Deny permissions for the Authenticated Users group, the user you are using, or the groups the user is a member of (Get-ADPermission reads the ACEs; Add-ADPermission would write one):

Get-ReceiveConnector "Client Frontend MAIL" | Get-ADPermission -User "NT AUTHORITY\Authenticated Users"

Thanks.

September 8th, 2015 10:22am
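An added example (not code from this thread or from any of its posters) that does the check Mark describes in a more complete way: it looks at the connector's ACEs not only for Authenticated Users but for the relaying account itself and every group it belongs to, since a Deny on any group overrides an Allow on the user, and it reports which of the SMTP extended rights named in this thread are missing. It assumes the Exchange Management Shell with the ActiveDirectory module available; the connector name and the account name "test" are the thread's values and are only placeholders.

```powershell
# Added example, not from the thread. Audits one receive connector's ACEs for a
# relaying user: Deny entries anywhere in the user's token (user, groups,
# Authenticated Users) and the SMTP extended rights the responders rely on.
# Assumptions: Exchange Management Shell plus the ActiveDirectory module;
# connector and account names are the thread's examples (placeholders).
param(
    [string]$Connector      = "Client Frontend MAIL",
    [string]$SamAccountName = "test"   # assumed: sAMAccountName of the relaying account
)

# Extended rights an authenticated relay client needs on the connector.
$relayRights = @(
    "ms-Exch-SMTP-Submit",
    "ms-Exch-SMTP-Accept-Any-Recipient",
    "ms-Exch-SMTP-Accept-Any-Sender",
    "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
)

Import-Module ActiveDirectory -ErrorAction Stop
$netbios = (Get-ADDomain).NetBIOSName

# Every principal through which an ACE could apply to this account.
$principals = @("NT AUTHORITY\Authenticated Users", "$netbios\$SamAccountName") +
    @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        ForEach-Object { "$netbios\$($_.SamAccountName)" })

$rc = Get-ReceiveConnector -Identity $Connector -ErrorAction Stop
$aces = foreach ($p in $principals) {
    # Get-ADPermission -User returns nothing when the principal has no ACE.
    $rc | Get-ADPermission -User $p -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Principal      = $p
            Deny           = $_.Deny
            AccessRights   = ($_.AccessRights -join ',')
            ExtendedRights = @($_.ExtendedRights | ForEach-Object { $_.ToString() })
            Inherited      = $_.IsInherited
        }
    }
}

# 1. Deny ACEs: a Deny on any group wins over an Allow on the user.
$denies = @($aces | Where-Object { $_.Deny })
if ($denies.Count -gt 0) {
    Write-Host "Deny ACEs on '$Connector' that apply to $netbios\${SamAccountName}:" -ForegroundColor Yellow
    $denies | Format-Table Principal, AccessRights, ExtendedRights, Inherited -AutoSize
} else {
    Write-Host "No Deny ACEs apply to $netbios\$SamAccountName on '$Connector'."
}

# 2. Explicit relay rights, collapsed across all principals. GenericAll is
#    reported separately and deliberately not treated as a substitute.
$granted = @($aces | Where-Object { -not $_.Deny } | ForEach-Object { $_.ExtendedRights } | Sort-Object -Unique)
$generic = @($aces | Where-Object { -not $_.Deny -and $_.AccessRights -match 'GenericAll' })
if ($generic.Count -gt 0) {
    Write-Host "GenericAll is granted via: $($generic.Principal -join ', ') (broad; review whether it is intended)" -ForegroundColor Yellow
}

$missing = @($relayRights | Where-Object { $granted -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Host "Relay-related extended rights not explicitly granted on '$Connector':" -ForegroundColor Yellow
    $missing | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "All relay-related extended rights are explicitly granted on '$Connector'."
    Write-Host "If relay still fails, check the sender (Send As) side and which connector the client actually reaches."
}
```

Run it from the Exchange Management Shell as an account that can read the connector's security descriptor. The point of enumerating groups is that the thread's own output only queried Authenticated Users; a Deny inherited onto a group the test account belongs to would never show up that way.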

Please check the below output

Get-ReceiveConnector "Client Frontend MAIL" | Get-ADPermission -User "NT AUTHORITY\Authenticated Users" | fl

User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
Deny                : False
AccessRights        : {GenericAll}
IsInherited         : False
Properties          : 
ChildObjectTypes    : 
InheritedObjectType : 
InheritanceType     : None

User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          : 
ChildObjectTypes    : 
InheritedObjectType : 
InheritanceType     : All

User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          : 
ChildObjectTypes    : 
InheritedObjectType : 
InheritanceType     : All

User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          : 
ChildObjectTypes    : 
InheritedObjectType : 
InheritanceType     : All

User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          : 
ChildObjectTypes    : 
InheritedObjectType : 
InheritanceType     : All

User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          : 
ChildObjectTypes    : 
InheritedObjectType : 
InheritanceType     : All

User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
Deny                : False
AccessRights        : {ExtendedRight}
IsInherited         : False
Properties          : 
ChildObjectTypes    : 
InheritedObjectType : 
InheritanceType     : All

User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
Deny                : True
AccessRights        : {ReadProperty}
IsInherited         : True
Properties          : {ms-Exch-Availability-User-Password}
ChildObjectTypes    : 
InheritedObjectType : ms-Exch-Availability-Address-Space
InheritanceType     : Descendents


September 9th, 2015 2:05am

Hi Noufal,

What is the sending user's email ID and what is the From ID used?

Try adding Send As rights to the user first. As you are authenticating, Exchange might be intervening on the permissions.

Add-ADPermission -Identity "noufal@domain.com" -User "SomeUserUsingGmail" -AccessRights ExtendedRight -ExtendedRights "Send As"

And as suggested by Mark, I don't see the Ms-Exch-SMTP-Accept-Any-Recipient permission on the connector.

Get-ReceiveConnector "Client Frontend MAIL" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

September 9th, 2015 5:56am

Please can you run this command and post the output. It's the same as what you ran in a previous post except that there is an * at the end, which shows the content of the ExtendedRights array.

Get-ReceiveConnector "Client Frontend MAIL" | Get-ADPermission -User "NT AUTHORITY\Authenticated Users" | fl *


September 9th, 2015 6:12am


[PS] C:\Windows\system32>Get-ReceiveConnector "Client Frontend MAIL" | Get-ADPermission -User "NT AUTHORITY\Authenticated Users"  | fl *


PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {GenericAll}
ExtendedRights      :
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : None
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Bypass-Anti-Spam}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-SMTP-Submit}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Accept-Headers-Routing}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-SMTP-Accept-Any-Recipient}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-SMTP-Accept-Any-Sender}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ReadProperty}
ExtendedRights      :
ChildObjectTypes    :
InheritedObjectType : ms-Exch-Availability-Address-Space
Properties          : {ms-Exch-Availability-User-Password}
Deny                : True
InheritanceType     : Descendents
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : True
IsValid             : True
ObjectState         : Unchanged



[PS] C:\Windows\system32>
September 9th, 2015 6:33am


We are using Gmail as a POP3/SMTP client and using the organizational address for sending, not the Gmail address. Applied the following commands; see the result. test@web.net.xx is the new address configured in the Gmail settings for authenticated relay.


********************************
[PS] C:\Windows\system32>Get-ReceiveConnector "Client Frontend MAIL" | Add-ADPermission -User "NT AUTHORITY\Authenticated Users" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
WARNING: The appropriate access control entry is already present on the object "CN=Client Frontend MAIL,CN=SMTP Receive Connectors,CN=Protocols,CN=MAIL,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=islamweb,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=islamweb,DC=net,DC=qa" for account "NT AUTHORITY\Authenticated Users".

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
MAIL\Client Front... NT AUTHORITY\Auth... False False
**************************************************************

C:\Windows\system32>Get-ReceiveConnector "Client Frontend MAIL" | Add-ADPermission -User "test@web.net.xx" -AccessRights ExtendedRight -ExtendedRights "All"

ity             User                 Deny  Inherited
---             ----                 ----  ---------
Client Front... web\test        False False


********************************************************


Delivery to the following recipient failed permanently:

     noufal@web.net.xx

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the relay mail.web.net.xx by mail.web.net.xx. [213.130.105.165].

The error that the other server returned was:
550 5.7.1 Client does not have permissions to send as this sender


----- Original message -----

MIME-Version: 1.0
X-Received: by 10.194.179.37 with SMTP id dd5mr54379138wjc.129.1441795419059;
 Wed, 09 Sep 2015 03:43:39 -0700 (PDT)
Received: by 10.28.27.7 with HTTP; Wed, 9 Sep 2015 03:43:39 -0700 (PDT)
Date: Wed, 9 Sep 2015 13:43:39 +0300
Message-ID: <CAODYGAviVxokYD9BnE6F4qhbHateYmobKcm4_odH1iWirmROsA@mail.gmail.com>
Subject: 88888888888888888
From: Test web <test@web.net.xx>
To: Noufal Abdurahiman <noufal@web.net.xx>
Content-Type: multipart/alternative; boundary=089e013d1d3ccabe27051f4e27a3

8hhhhhhhhhhhhhhhhhhh

September 9th, 2015 7:02am

Please can you ensure that the user you are using for authentication has the email address you are sending from, or ensure that the user account has Send As permission on the email address you're sending from. Try both approaches.

Thanks.

September 9th, 2015 8:19am


[PS] C:\Windows\system32>Get-ReceiveConnector "Client Frontend MAIL" | Get-ADPermission -User "NT AUTHORITY\Authenticated Users"  | fl *


PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {GenericAll}
ExtendedRights      :
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : None
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Bypass-Anti-Spam}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-SMTP-Submit}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-Accept-Headers-Routing}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-SMTP-Accept-Any-Recipient}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ExtendedRight}
ExtendedRights      : {ms-Exch-SMTP-Accept-Any-Sender}
ChildObjectTypes    :
InheritedObjectType :
Properties          :
Deny                : False
InheritanceType     : All
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : False
IsValid             : True
ObjectState         : Unchanged

PSComputerName      : mail.web.net.xx
RunspaceId          : 8b797a9c-a017-4d6c-a65d-bc8b7422aa10
PSShowComputerName  : False
AccessRights        : {ReadProperty}
ExtendedRights      :
ChildObjectTypes    :
InheritedObjectType : ms-Exch-Availability-Address-Space
Properties          : {ms-Exch-Availability-User-Password}
Deny                : True
InheritanceType     : Descendents
User                : NT AUTHORITY\Authenticated Users
Identity            : MAIL\Client Frontend MAIL
IsInherited         : True
IsValid             : True
ObjectState         : Unchanged



[PS] C:\Windows\system32>
September 9th, 2015 10:31am

Hi Noufal,

According to your further posting, I understand that you want a Gmail account to send as an Exchange account in your organization. Is that right? If I have misunderstood, please feel free to point it out.

If that is the case, please make sure this Gmail account has Send As permission to use another email address to send messages. We can create a Mail User for this Gmail account in your Exchange server and assign Send As permission to this Mail User to have a try. For example, if User1@gmail.com wants to send as the Test@domain.com mailbox, we can do:

1. Create Mail User:

$password = Read-Host "Enter password" -AsSecureString
New-MailUser -Name "Gmail user1" -Password $password -ExternalEmailAddress user1@gmail.com -UserPrincipalName user1@domain.com -OrganizationalUnit domain.com

2. Assign Send As permission:

Add-ADPermission -Identity test@domain.com -User "Gmail User1" -ExtendedRights "Send As"

3. Restart the Microsoft Exchange Information Store service on the Exchange server.

Send a test message to have a try.

Regards,

September 9th, 2015 10:53pm
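An added example (not code from this thread or its posters) covering the sender-side condition that both Mark and the last reply describe: the authenticating account must either own the From address or hold Send As on the recipient that owns it. The script evaluates both conditions for one account/address pair and prints a verdict. It assumes the Exchange Management Shell; the account "web\test" and the address test@web.net.xx are the thread's values and are placeholders.

```powershell
# Added example, not from the thread. Checks the sender-side condition behind
# "550 5.7.1 Client does not have permissions to send as this sender": the
# authenticating account must own the MAIL FROM address, or hold Send-As on
# the recipient that owns it. Assumptions: Exchange Management Shell; the
# account and address below are the thread's examples (placeholders).
param(
    [string]$AuthUser    = "web\test",         # assumed: DOMAIN\sAMAccountName used for AUTH
    [string]$FromAddress = "test@web.net.xx"   # assumed: address used in MAIL FROM / From
)

function Get-SmtpAddresses {
    # Return a recipient's SMTP proxy addresses without the "SMTP:"/"smtp:" prefix.
    param($Recipient)
    $Recipient.EmailAddresses | ForEach-Object { $_.ToString() } |
        Where-Object { $_ -match '^smtp:' } |      # -match is case-insensitive
        ForEach-Object { $_ -replace '^smtp:', '' }
}

$auth  = Get-Recipient -Identity $AuthUser -ErrorAction Stop
$owner = Get-Recipient -Identity $FromAddress -ErrorAction SilentlyContinue

# Condition 1: the From address is one of the authenticating account's own addresses.
$ownsAddress = (@(Get-SmtpAddresses $auth) -contains $FromAddress)

# Condition 2: an explicit Send-As ACE on the owning recipient, granted directly
# to the account. A Send-As granted through a group membership will not appear
# in a -User query for the account itself; a Deny overrides either.
$sendAs = @()
if ($owner) {
    $sendAs = @(Get-ADPermission -Identity $owner.DistinguishedName -User $AuthUser -ErrorAction SilentlyContinue |
        Where-Object { @($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Send-As' })
}
$sendAsGranted = [bool]($sendAs | Where-Object { -not $_.Deny })
$sendAsDenied  = [bool]($sendAs | Where-Object { $_.Deny })

if ($owner) { $ownerName = $owner.Identity.ToString() } else { $ownerName = '(no recipient owns this address)' }
if ($sendAsDenied) {
    $verdict = 'Rejected: explicit Send-As deny on the owning recipient'
} elseif ($ownsAddress -or $sendAsGranted) {
    $verdict = 'Allowed by the sender check'
} else {
    $verdict = 'Rejected: account neither owns the address nor holds Send-As on its owner'
}

[pscustomobject]@{
    AuthAccount    = $auth.Identity.ToString()
    FromAddress    = $FromAddress
    OwnerRecipient = $ownerName
    OwnsAddress    = $ownsAddress
    SendAsGranted  = $sendAsGranted
    SendAsDenied   = $sendAsDenied
    Verdict        = $verdict
}
```

If the verdict is "Allowed" and the relay still fails, the problem is not the Send As side at all, which is the situation the original poster ends up describing (same account for sending and for authentication). The script checks only a direct ACE on purpose: a Send As granted to a group would need the group enumeration shown earlier in this thread, and keeping the two checks separate makes it clear which condition is being tested.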

I checked again just now: relay works properly when I add the test domain user account to the Domain Admins group, otherwise it does not.

Delivery to the following recipient failed permanently:

     noufal@web.net.xx

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the relay mail.web.net.xx by mail.web.net.xx. [213.130.---.---].

The error that the other server returned was:
550 5.7.1 Client does not have permissions to send as this sender

----- Original message -----

MIME-Version: 1.0
X-Received: by 10.180.24.72 with SMTP id s8mr3068938wif.49.1441868545930;
 Thu, 10 Sep 2015 00:02:25 -0700 (PDT)
Received: by 10.28.27.7 with HTTP; Thu, 10 Sep 2015 00:02:25 -0700 (PDT)
Date: Thu, 10 Sep 2015 10:02:25 +0300
Message-ID: <CAODYGAuFuq2az4qOxq_gFqeCQME87wo+JAtATNAE=YNwMte-+Q@mail.gmail.com>
Subject: at 10 am
From: Test Islamweb <test@web.net.xx>
To: Noufal Abdurahiman <noufal@web.net.xx>
Content-Type: multipart/alternative; boundary=f46d0438933f7e3cb8051f5f2e8e
September 10th, 2015 3:09am

The account used for "sending from" and the account used for authentication are the same account.
September 10th, 2015 3:18am

You are mistaken; the configuration has nothing to do with a Gmail account. Gmail can be configured as a POP3/SMTP-TLS client, like Outlook Express. The From address is the same organizational address that is used for authentication.

September 10th, 2015 3:22am

I suspect that the emails are not using this receive connector. Do you have any other receive connectors listening on port 587? If so, Gmail may be connecting to one of those.

Other things you can try:

Check that the NAT is configured correctly and that you're configuring the correct server and the correct IP on that server. Check that the receive connector is configured to listen on the correct IP.

Turn on verbose logging on the receive connector, try sending an email again, then wait a few minutes for it to appear in the logs for that receive connector. If nothing appears, you probably have one of the above issues.

Also, try using the below command to send a message using the same account:

$cred = Get-Credential

Send-MailMessage -To recipient@domain.com -From sender@domain.com -Subject "Test email" -SMTPServer InternalIPofExchangeServer -Credential $cred

Thanks.

September 10th, 2015 5:04am
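An added example (not code from this thread or its posters) of the logging step Mark suggests: it turns on verbose protocol logging for the connector and parses the SMTP receive protocol log so you can see which connector the client actually landed on, whether AUTH succeeded, what session permissions Exchange assigned after authentication, and which 5xx response ended the session. The log lines embedded below are constructed to follow the documented protocol log layout (the columns named on the "#Fields:" line) and mirror the thread's symptom; the IPs, session id and log file names are made up, and the connector name is the thread's placeholder.

```powershell
# Added example, not from the thread. Enables verbose protocol logging on the
# connector and parses the SMTP receive log to show which connector a client
# hit and how the session ended. The sample log below is constructed (not a
# real capture); IPs, session id and timestamps are invented.
param(
    [string]$Connector = "Client Frontend MAIL",   # thread's connector name (placeholder)
    [string]$RemoteIp  = "203.0.113.5"             # constructed client IP
)

function ConvertFrom-SmtpProtocolLog {
    # Exchange protocol logs are CSV preceded by '#'-prefixed metadata lines;
    # the '#Fields:' line names the columns.
    param([string[]]$Lines)
    $header = ($Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $Lines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header ($header -split ',')
}

function Get-SmtpSessionSummary {
    # One summary object per SMTP session coming from the given client IP.
    param([object[]]$Entries, [string]$Ip)
    $Entries | Where-Object { $_.'remote-endpoint' -like "${Ip}:*" } |
        Group-Object -Property 'session-id' | ForEach-Object {
            $s = $_.Group
            [pscustomobject]@{
                SessionId     = $_.Name
                Connector     = ($s | Select-Object -First 1).'connector-id'
                Ehlo          = ($s | Where-Object { $_.event -eq '<' -and $_.data -like 'EHLO*' } | Select-Object -First 1).data
                Authenticated = [bool]($s | Where-Object { $_.event -eq '>' -and $_.data -like '235 *' })
                # Last "Set Session Permissions" entry = permissions in force after AUTH.
                Permissions   = ($s | Where-Object { $_.context -eq 'Set Session Permissions' } | Select-Object -Last 1).data
                MailFrom      = ($s | Where-Object { $_.event -eq '<' -and $_.data -like 'MAIL FROM*' } | Select-Object -First 1).data
                Rejections    = @($s | Where-Object { $_.event -eq '>' -and $_.data -match '^5\d\d ' } | ForEach-Object { $_.data })
            }
        }
}

# Constructed sample: a client that authenticates and is then refused at MAIL FROM.
$sample = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2015-09-09T10:43:39.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-09-09T10:43:39.000Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,0,192.0.2.10:587,203.0.113.5:54321,+,,
2015-09-09T10:43:39.001Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,1,192.0.2.10:587,203.0.113.5:54321,*,None,Set Session Permissions
2015-09-09T10:43:39.002Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,2,192.0.2.10:587,203.0.113.5:54321,>,220 mail.web.net.xx Microsoft ESMTP MAIL Service ready,
2015-09-09T10:43:39.050Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,3,192.0.2.10:587,203.0.113.5:54321,<,EHLO mail-example.google.com,
2015-09-09T10:43:39.120Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,4,192.0.2.10:587,203.0.113.5:54321,<,STARTTLS,
2015-09-09T10:43:39.400Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,5,192.0.2.10:587,203.0.113.5:54321,<,AUTH LOGIN,
2015-09-09T10:43:39.500Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,6,192.0.2.10:587,203.0.113.5:54321,>,235 2.7.0 Authentication successful,
2015-09-09T10:43:39.501Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,7,192.0.2.10:587,203.0.113.5:54321,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam,Set Session Permissions
2015-09-09T10:43:39.600Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,8,192.0.2.10:587,203.0.113.5:54321,<,MAIL FROM:<test@web.net.xx>,
2015-09-09T10:43:39.650Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,9,192.0.2.10:587,203.0.113.5:54321,>,550 5.7.1 Client does not have permissions to send as this sender,
2015-09-09T10:43:39.700Z,MAIL\Client Frontend MAIL,08D2B8C3F3A4C5D6,10,192.0.2.10:587,203.0.113.5:54321,-,,Local
'@ -split "`r?`n"

# Offline run over the constructed sample.
Get-SmtpSessionSummary -Entries (ConvertFrom-SmtpProtocolLog $sample) -Ip $RemoteIp | Format-List

# Live run (Exchange Management Shell only): enable verbose logging, reproduce
# the send, then parse the newest FrontEnd SMTP receive logs with the same parser.
if (Get-Command Get-FrontendTransportService -ErrorAction SilentlyContinue) {
    $rc = Get-ReceiveConnector -Identity $Connector -ErrorAction Stop
    Set-ReceiveConnector -Identity $rc.Identity -ProtocolLoggingLevel Verbose
    $logPath = (Get-FrontendTransportService -Identity "$($rc.Server)").ReceiveProtocolLogPath
    $live = Get-ChildItem -Path "$logPath" -Filter 'RECV*.LOG' | Sort-Object LastWriteTime |
        Select-Object -Last 3 | ForEach-Object { ConvertFrom-SmtpProtocolLog (Get-Content $_.FullName) }
    Get-SmtpSessionSummary -Entries $live -Ip $RemoteIp | Format-List
}
```

Two things to read off the summary: the Connector column tells you whether the client reached "Client Frontend MAIL" at all (if the sessions show a different connector, the ACE changes made in this thread were applied to the wrong object), and the Permissions column shows what Exchange actually granted the session after AUTH, which can be compared against the ACEs the connector is supposed to carry. Verbose protocol logging records every command and response, so turn it back down once the troubleshooting is done.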

Excellent point on the port binding Mark!

Noufal,

Oufal@web.net.xx is trying to SendAs test@web.net.xx.

Please check and confirm you can send this email internally using Outlook or OWA.

Once done, test using Gmail.

September 10th, 2015 7:30am
